Codenotary launched SBOM Operator for Kubernetes in both its open source Community Attestation Service, as well as Codenotary’s Trustcenter, the company’s flagship product, that mitigates the risk of software supply chain attacks by tracking all software and software dependencies running in Kubernetes.
Codenotary provides the easiest way to generate SBOMs (Software Bill of Materials) of running container images and maintaining up-to-date records of all builds, and dependencies. This allows for immediate risk mitigation in the event that unwanted, dangerous or vulnerable artifacts are detected.
All SBOM information is continuously updated and versioned to include any changes in deployments, then stored in a tamper-proof, auditable database. That information is instantly available for search so that the location of software artifacts can be pinpointed in seconds, and the history of image content changes verified, which is essential to maintaining a secure software supply chain.
The new SBOM Operator for Kubernetes helps enterprises comply with the U.S. Executive Order on Improving the Nation’s Cybersecurity, which includes maintaining a Software Bill of Materials (SBOM), as well as the SLSA security framework to ensure trust in the software supply chain.
“By itself, the SBOM is not very useful without continuously being updated and maintained as the information is deprecated with every new deployment or update,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary. “Now, users know exactly what is running in containers, with the most recent information so they have the ability to immediately remediate something if necessary.”
SBOM Operator is an open source community project – supported by Codenotary – to store SBOM information about container images as files in a Git repository and has been extended to support both Community Attestation Service, as well as Trustcenter, which are tamper-proof, versioned and fully searchable.
“I am pleased to contribute to the wider adoption and use of SBOMs with the Codenotary integration in my Kubernetes operator, especially the additional security, timestamp and search capabilities across the infrastructure were key to developing the extension,” said Christian Kotzbauer.
Codenotary provides tools for cataloging and trusting components of the software development lifecycle which help attest to the origin and safety of the code. The company further enhances this core functionality by providing an additional tamper-proof layer which processes and stores millions of transactions per second, on-premises or as a cloud service, and with cryptographic verification.
It gives developers and DevOps engineers a way to attach a Software Bill of Materials (SBOM) for development artifacts that include source code, builds, repositories, and more, plus Docker and Kubernetes container images for their software.